Skip to content

Sandbox CSS-only build dependencies#1709

Merged
charmander merged 5 commits into
Weasyl:mainfrom
charmander:assets-builder
Jun 5, 2026
Merged

Sandbox CSS-only build dependencies#1709
charmander merged 5 commits into
Weasyl:mainfrom
charmander:assets-builder

Conversation

@charmander

Copy link
Copy Markdown
Contributor

Involves upgrades to Deno 2.8.1 and Dart Sass 1.100.0. See individual commits for details.

This comment was marked as resolved.

Comment thread build-css.ts Dismissed
Limits the damage a compromised package in the Autoprefixer/PostCSS/Sass dependency trees can do, for example: malicious CSS output is bad, but not a trivial immediate disaster the way malicious JS or SVG output would be.

The Dart Sass version upgrade is included because we’re switching packages anyway.

Causes an 18-byte increase in CSS size as a couple of rules are split into multiple ones with the same selector ([Dart Sass 1.92.0][] change to nested selectors interleaved with declarations), and the build output is otherwise unchanged.

Esbuild is the only remaining dependency with full-process privileges for now.

Increases full build time (`wzl assets --nobuild`) by 10–40% for me, but the difference with `wzl assets-watch` is unnoticeable.

[Dart Sass 1.92.0]: https://github.com/sass/dart-sass/blob/main/CHANGELOG.md#1920
For best sandbox effectiveness, we need V8s new enough that our dependencies can’t use public exploits against them, for one. (At least net permission is denied at runtime.)

[The Deno Docker images’ build process][1] doesn’t involve any signature check (it downloads the release and its hash from `dl.deno.land`), which is a little disturbing. I’m grateful that the result is a single file, since the zip file appears to have immediate access to execute arbitrary code (extracted in `/`, could contain a +x `usr/local/bin/chmod`) within the same layer where it’s extracted. I was unable to reproduce the binary for `docker.io/denoland/deno:alpine-2.8.1` with the most convenient `patchelf` to hand, so I switched to Debian, which is a step in the glibc direction I had been considering for other reasons anyway – other images to follow (or maybe we can get to distroless). I’ve only verified the amd64 image, and that’s the architecture that the pinned hash corresponds to. (This was a nice way to find out that the Dockerfile syntax now supports specifying both a tag and a hash.) The build process also does the same unverified download of a mutable GitHub tag with tini, so we bypass its tini.

On the GitHub side, Deno releases have become immutable and added attestations since 2.3.5, which is a good start.

[1]: https://github.com/denoland/deno_docker/blob/3a42f7964cd68395bb95dd39882b3b0e2f436a8a/bin.dockerfile#L14-L23
Reduces the net `wzl assets --nobuild` performance hit from ~40% to ~15%.
fixing cache for non-npm packages for Docker build.
@charmander charmander merged commit e862729 into Weasyl:main Jun 5, 2026
4 checks passed
@charmander charmander deleted the assets-builder branch June 5, 2026 07:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants